Port 113 - Korgo worm variants
Korgo worm variant
Some days ago we received some reports about probes for port 113.
Today Symantec upgraded the Korgo .F variant from a Category 2 to Category 3, "due to an increased rate of submissions".
This worm bot variant exploits the Microsoft Windows LSASS Buffer Overrun Vulnerability (MS04-011). According to Symantec, it also listens on ports 113 and 3067 and on other random ports.
The F-Secure weblog reports a .G version.
When active, the worm tries to connect to the following IRC servers on port 6667:
It then joins the #waffen-ss channel to create a bot with a random name.
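An added example, not part of the original diary: a triage pass over connection logs that flags internal hosts showing the port behaviour described above (accepting inbound connections on 113 or 3067, and opening outbound sessions to 6667). The log format, the addresses, the internal range and the function names are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Ports from the diary: the worm listens on 113 and 3067 and dials IRC on 6667.
LISTEN_PORTS = {113, 3067}
IRC_PORT = 6667
# Constructed sample log; assumed format: time src_ip src_port dst_ip dst_port action
SAMPLE_LOG = """\
2004-06-01T10:00:01 198.51.100.7 4312 10.0.0.15 113 ACCEPT
2004-06-01T10:00:09 10.0.0.15 1099 203.0.113.50 6667 ACCEPT
2004-06-01T10:01:30 198.51.100.7 4313 10.0.0.16 113 DENY
2004-06-01T10:02:02 10.0.0.22 1200 203.0.113.50 6667 ACCEPT
2004-06-01T10:03:44 198.51.100.9 2210 10.0.0.15 3067 ACCEPT
2004-06-01T10:04:10 10.0.0.30 1301 192.0.2.80 80 ACCEPT
"""

def find_suspects(log_text, internal_cidr="10.0.0.0/8"):
    """Map each internal host to the set of Korgo-like indicators it showed."""
    net = ipaddress.ip_network(internal_cidr)
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines rather than guessing
        _, src, _, dst, dport, action = fields
        if action != "ACCEPT" or not dport.isdigit():
            continue  # a denied probe says nothing about the target host
        try:
            src_in = ipaddress.ip_address(src) in net
            dst_in = ipaddress.ip_address(dst) in net
        except ValueError:
            continue  # unparseable address
        port = int(dport)
        if dst_in and not src_in and port in LISTEN_PORTS:
            seen[dst].add(f"accepts inbound tcp/{port}")
        elif src_in and not dst_in and port == IRC_PORT:
            seen[src].add(f"outbound tcp/{IRC_PORT}")
    return dict(seen)

def triage(suspects):
    """'high' when a host shows both a listener and an IRC session, else 'review'."""
    def level(hits):
        kinds = {h.split()[0] for h in hits}  # "accepts" and/or "outbound"
        return "high" if kinds == {"accepts", "outbound"} else "review"
    return {host: level(hits) for host, hits in suspects.items()}

if __name__ == "__main__":
    print(triage(find_suspects(SAMPLE_LOG)))
```

Port 113 is also the ident service and 6667 is ordinary IRC, so a single indicator only earns "review"; the combination on one host is what raises it to "high".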
References: http://www.sarc.com/avcenter/venc/data/w32.korgo.f.html
http://www.europe.f-secure.com/v-descs/korgo_g.shtml
-----------------------------------------------
Handler on duty: Pedro Bueno (bueno_AT_ieee.org)